Amid global cybercrime, accidental hacks risk jail

By Reynolds HoldingThe author is a Reuters Breakingviews columnist. The opinions expressed are his own.

Amid a global blitz of cybercrime, accidental hackers risk going to prison. A U.S. anti-hacking law is so broad that it may make any breach of an employer’s computer policy a crime. Recent attacks against Citigroup, Sony, the International Monetary Fund and others understandably feed demand for stiffer penalties. But prosecutors should avoid overkill with fat-fingered users of PCs and Macs.

Take the case against David Nosal. The executive recruiter is accused of getting information from his former employer’s computer system through an ex-colleague and using it to help his competing business. If that’s how it happened, the move violated the company’s policy and possibly amounted to the theft of trade secrets. But hacking?
That’s essentially the charge Nosal faces under the U.S. Computer Fraud and Abuse Act, or CFAA, an anti-hacking law that prohibits unauthorized use of computers. A California federal appeals court upheld the charge against Nosal in April, but was asked this week to reconsider. The panel said employers’ policies define what’s “authorized,” so prosecutors can argue that Nosal’s policy breach was criminal.

Saying it is criminal for a Social Security Administration employee to fish unauthorized through sensitive databases — as an Atlanta federal court ruled in January — sounds reasonable. But simply allowing what may be arbitrary or badly communicated corporate policies to define the law seems a lot less reasonable in Nosal’s case. Another use of CFAA involved a breach of social network MySpace’s policies. Lori Drew, a Missouri housewife, was initially convicted, though a judge overturned the decision in 2009.

But the problem with CFAA remains. If violating any company or website policy is potentially illegal, then even someone who checks personal email or a racy website at work could theoretically end up in prison. That’s surely not the intended result.

Rather than fix that problem, President Barack Obama’s administration and U.S. lawmakers want to toughen the law. Driven in part by costly recent cyber-attacks, the House of Representatives on May 25 considered a proposal to make all violations of CFAA felonies and increase maximum sentences from five to 20 years. But if Congress wants to get serious about hacking, it should first define the crime sensibly.

Call me paranoid if you wish, but I strongly believe there is a lot more hacking going on than the public is aware of. Those who are most at risk are the whistle blower’s who can’t afford expensive IT security. The serious muckraker blogger who garner’s widespread appeal is most at risk. The internet, like never before, allows for citizen journalism to expose the anti-competitive practices of big business. The serious blogger’s who are engaged in investigative journalism exposing corporate greed are opening the public’s eyes by lifting the kimono on anti-competitive practices. Big business has long been accustomed to dismissing their occasional detractor’s. Now, they finding that the serious blogger with a substantial following is a serious threat to their heretofore secret ways of disadvantaging the public. These bloggers/muckrakers/investigators are at constant risk of being hacked by rogue elements associated with big business wanting to find out who and how they are getting their information.

This issue is similar to problems that exist in law enforcement everywhere. It’s not the worst crimes that get the most attention, but those that are easiest to document. Take driving regulations, for example: using strictly the volume of offenses charged, one might presume that exceeding the speed limit is the very most serious infraction… but no, it’s just the easiest to gather incriminating evidence. Cyber-crimes are most frustrating, since a capable perpetrator can lay deceptions that cover trails and incriminate others. The clumsy tyros leave the tracks an investigator can follow. The very design of the Internet would need to be reworked to build in a greater degree of traceable activities – and raise the spectre of Big Brother.

So what happens in a case like mine,some years back after very easily accessing a database with millions of SSN, personal and monetary information. I anonymously sent the owner of the system detailed documentation of how I gained entry and what was needed to protect that data correctly. In my eyes I was helping to protect the company, other nefarious people could have taken the data and sold it, that was never my intension.

Some weeks later they found out it was me and I was fired. In todays world I could be put in jail, so what would my incentive be if I accidentally stumbled on NPI today I should not be afraid or penalized for doing the the right thing and report it? though in todays culture I could still go to jail. The problem is that the people who are judging simply don’t understand technology and until large corporations get burned because hacking laws are nonsensical interpreted and used this situation will never change.

What do they call it when the government monitors civilian internet traffic? How do they subvert the fifth amendment? Not testifying against oneself includes, papers and effects, in other words, a hard drive is inadmissible evidence if used against the owner.

[…] there is additionally the serious risk of similar prosecution for inadvertant or genuinely ignorant information system abuse. What is readily evident is that law enforcement and the courts definitely do not share […]